Medical device security: How to find the cyberattack hiding from view

The healthcare sector is well aware that medical devices are vulnerable, but it’s hard to obtain the extra resources to fix the issue.

For a number of years, security researchers have warned that medical devices -- operating on legacy platforms, often with default passwords -- are vulnerable to attack. When you consider the number of alerts from the FBI and others, alongside the manufacturer-released patches, the threat is real -- and growing.

But still, one of the biggest questions asked of Christian Dameff, University of California researcher and physician, is: “Can you show me someone who has been hurt by this?”

“It’s not that providers don’t want to shore up the threat,” said Dameff. “There’s just competing resources and time.”

If you ask the board for money to fix the issues posed by medical devices, they’re going to want tangible evidence of real harm, explained Dameff. It’s frustrating, but also great that we can’t just point to someone who has died from this.

Ahead of his presentation at the HIMSS Healthcare Security Forum in Boston on Oct. 15-16, 2018, Dameff broke down the issues still plaguing medical devices and actionable steps for hospitals to take to begin addressing the problem.

Hidden flaws

Dameff gave the example of a disease that has yet to be discovered. How are these found? Doctors will see a strange, new anomaly, so they write it up as a case report. And when enough doctors write strange cases, they’re put together, and it starts getting public health awareness.

The trouble with medical devices is that the same methods don’t apply. Dameff explained that there are a lot of things that prevent an organization from finding out there’s a medical device incident.

“Let’s imagine an infusion pump: it gets infected with malware, cryptomining that’s embedded into the operation. It’s taking up all of its resources and RAM,” said Dameff. “Let’s say it’s infusing a medication, but a nurse is very busy. And the only person that could see it’s acting up would be the nurse.”

“But they’re not going to be looking at the device,” he continued. “These pumps take a lot of the work out of these things, so they’re not [hyper-focused] on the device.”

When a nurse does, in fact, see it’s been going too quickly, who will the nurse call? Dameff explained they’ll contact clinical engineering or biomedical. And here’s the catch: Biomedical is called on these things all of the time. “They’re just going to replace the device in question with the exact same thing.”

“What are they capable of doing? They don’t do forensics. They just factory reset and put it back into production,” said Dameff.

Stitch security into every role

To begin fixing these issues, hospitals need to look at the capabilities they have for finding these malware infections. Dameff said they need to ask: “Is biomed trained? What are their capabilities of detecting when something’s been acting wrong?”

Part of the issue is that “security lives in IT. And that’s only if they have a security person,” said Dameff. The silos between biomed and IT need to be broken down, so that security is done in both and they can better recognize when something happens.

For example, a biomed person who is tech savvy may notice that there’s something wrong with a device and call the vendor, explained Dameff. The device is sent out to the vendor -- without the hard drive -- as they don’t want to be responsible for patient data.

“Once the hard drive is pulled out of the device, any evidence of malware is just not going to be there,” said Dameff. “It’s on the hard drive, and the vendor won’t even know.”

Dameff has asked vendors if they’re doing forensics on these devices, but they can’t because there’s no hard drive. And there’s nothing there on the actual machine.

“It’s a perfect storm,” he said. “Look at how many miraculous things have to happen to find out this has happened. It’s why we haven’t found a lot of examples, and we lack a lot of defense.”

“Progressive, forward-thinking companies have merged [biomed and IT] together. They’re not walled off anymore, and they’re recognizing the need on their ecosystems,” he continued. “It’s important for patches, network segmentation ... It’s forward-thinking.”

In the end, biomed would have “the trump card on devices and can securely deploy devices on the network,” Dameff explained.

“You do all this work to secure the network, but don’t secure devices: It’s more of a structural thing,” said Dameff. “As opposed to relying on patches, you have control as a health organization over this problem.”

Standing on the shoulders of giants

At the end of the day, budget constraints hinder many hospitals and other healthcare organizations. But as others have shared, relying on security information from major organizations and I-SACs can prove invaluable.

“Organizations should leverage security expertise, and stand on the shoulders of giants,” said Dameff. “There are very well-resourced hospitals that have the money to do the right thing with security infrastructure. Hospitals are asked to spend a lot of money, and we’re asking them to spend a lot more money on security.”

“There is no competitive advantage of healthcare security,” he added. “You can’t make more money than the other hospitals [on security matters]. If they’re less secure, we’re all vulnerable. And if the population doesn’t think their data is safe, who’s to say it isn’t going to spread to the user?”

Put another way, why would patients come to a hospital that has been hacked? There are a lot of competitive things, but Dameff stressed that cybersecurity isn’t one of those. We need to be sharing information on threats, incidents and the like with each other and with I-SACs.

But Dameff took it a step further and said that smaller providers should call out large providers with the budget for security to encourage those organizations to share their wealth of information.

“They can go to device vendors and ask them to show all of the flaws,” Dameff said. “Critical access hospitals can’t do that, as they have no negotiating power, and they don’t have the security experts in health.”

“These other hospitals that can’t do the security in-house could say, for example, ‘hey, Mayo Clinic: Will you share this information with us? You’ve done all of the work.’”

Especially when purchasing new devices, organizations need to leverage the expertise of hospitals that have done this, so that everyone can buy safer devices, he explained.